bug-cpio

Re: [Bug-cpio] out-of-bounds write with cpio -i


From: Sergey Poznyakoff
Subject: Re: [Bug-cpio] out-of-bounds write with cpio -i
Date: Thu, 11 Dec 2014 12:35:22 +0200

Hi Pavel,

> There is still one new NULL pointer dereference.

Yes, I've noticed that too.  I'll push a fix along with some other
changes soon.

> Also, the get_link_name
> does not guarantee the two possibilities only: "successful read of symlink
> name and seek the archive properly OR exit_failure" so cpio is unable to
> recover, potentially.

In fact, there is little possibility for recovery.  Before starting
to look for the next file header, cpio has to skip the current member contents,
that is, to go c_filesize bytes forward.  If that field is incorrect,
it can of course skip some valid archive members or even get past the end
of the file (as it does in our case).

> Note also, that I had to install the attached fix for the testsuite - as
> the actual CVE fix causes different errors among different architectures.
> The tested scenario is too non-deterministic also.

Thanks!

Regards,
Sergey
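As an added example (not code from cpio or from this thread), the skipping step Sergey describes, written as a Python walker for the newc ("070701") cpio format: before jumping c_filesize bytes forward it checks the size against the bytes remaining, so a corrupt field is reported instead of seeking past the end of the archive. The sample archive is constructed inline; field layout is the standard 110-byte newc header.

```python
NEWC_MAGIC = b"070701"
HEADER_LEN = 110  # 6-byte magic + 13 fields of 8 hex digits each

def _pad4(n):
    return (n + 3) & ~3

def walk_newc(data):
    """Return [(name, filesize), ...] for a newc archive held in memory.
    Raises ValueError instead of skipping past end of data when
    c_namesize or c_filesize is inconsistent with the archive length."""
    entries, off = [], 0
    while True:
        hdr = data[off:off + HEADER_LEN]
        if len(hdr) < HEADER_LEN or hdr[:6] != NEWC_MAGIC:
            raise ValueError("bad or truncated header at offset %d" % off)
        # fields: ino mode uid gid nlink mtime filesize devmaj devmin
        #         rdevmaj rdevmin namesize check
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name_off = off + HEADER_LEN
        if namesize == 0 or name_off + namesize > len(data):
            raise ValueError("c_namesize out of bounds at offset %d" % off)
        name = data[name_off:name_off + namesize - 1].decode("ascii", "replace")
        data_off = _pad4(name_off + namesize)
        if name == "TRAILER!!!":
            return entries
        # Validate before skipping: the member cannot hold more bytes
        # than remain in the archive after its name field.
        remaining = len(data) - data_off
        if filesize > remaining:
            raise ValueError("c_filesize %d for %r exceeds remaining %d bytes"
                             % (filesize, name, remaining))
        entries.append((name, filesize))
        off = _pad4(data_off + filesize)

def first_error(data):
    """Convenience wrapper: None if the archive walks cleanly, else the message."""
    try:
        walk_newc(data)
        return None
    except ValueError as e:
        return str(e)

def build_newc(members):
    """Constructed sample archive from [(name, payload_bytes), ...]."""
    out = bytearray()
    for name, payload in list(members) + [("TRAILER!!!", b"")]:
        nm = name.encode() + b"\0"
        fields = [0, 0o100644, 0, 0, 1, 0, len(payload), 0, 0, 0, 0, len(nm), 0]
        out += NEWC_MAGIC + b"".join(b"%08x" % f for f in fields) + nm
        out += b"\0" * (_pad4(len(out)) - len(out))
        out += payload + b"\0" * (_pad4(len(out) + len(payload)) - len(out) - len(payload))
    return bytes(out)
```

Corrupting the c_filesize field of the first header (bytes 54..61) reproduces the failure mode from the thread: the walker refuses to skip rather than running off the end of the data.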


